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Abstract 

Information flow analysis is a powerful technique for reasoning about the sensitive 
information exposed by a program during its execution. While past work has proposed 
information theoretic metrics (e.g., Shannon entropy, min-entropy, guessing entropy, 
etc.) to quantify such information leakage, we argue that some of these measures not only 
result in counter-intuitive measures of leakage, but also are inherently prone to conflicts 
when comparing two programs Pi and P2 — say Shannon entropy predicts higher leakage 
for program Pi, while guessing entropy predicts higher leakage for program P^. This 
paper presents the first attempt towards addressing such conflicts and derives solutions 
for conflict-free comparison of finite order deterministic programs. 
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1 Introduction 

o\ 

Protecting sensitive and confidential data is becoming more and more important in many fields 
of human activities, such as electronic commerce, auctions, payments and voting. Information 
flow analysis is a powerful technique for reasoning about the sensitive information exposed by 
a program during its execution [1-3]. Existing approaches to information flow analysis can 
be broadly classified into two: qualitative and quantitative approach. Qualitative information 
flow analysis, such as taint tracking [4,5], are coarse-grained — often only distinguishing 
between possible leakage and no leakage. 

Recently, quantitative information analysis [1,6-8] techniques have been proposed to al- 
leviate this problem by offering a more fine-grained quantitative assessment of information 
leakage. Such techniques adopt information theoretic metrics [9, 10] such as mutual infor- 
mation between the secret /sensitive input to a program and its public output to quantify 
information leakage, as shown in figure 1. In doing so, several entropy measures have been 
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Figure 1: Quantification of Information Leakage in a Program 



used to assess mutual information, including, Shannon entropy, Renyi entropy, Guessing en- 
tropy (see [6,7,11] for more details), and so on. However, in most past work, the choice of 
such entropy measure has been ad hoc (mostly driven by sample programs) — sometimes 
leading to counter- intuitive results. Consider the following two programs (by Smith^), where 
the secret input A is uniformly distributed 8/c-bit integer with k > 2, & denotes bitwise and 
and o 7fc_1 l fc+1 denotes a binary constant. 

PROG PI 

if A = mod 8 then 
O = A 

else 
O = 1 

end if 

PROG P2 

O = A & (p-ii fc+1 

Intuitively, one might argue that PROG PI has much higher information leakage than 
PROG P2 when k is large, because it reveals complete information about the secret input 
with probability |; on the other hand, when k is large, PROG P2 reveals roughly | of the 
number of bits in A. However, applying Shannon entropy measure and computing the mutual 
information I\ between A and O yields a counter intuitive result: 



i.e., leakage by PROG PI is smaller than leakage by PROG P2, which violates popular con- 
sensus in information leakage literature [6,7]. Indeed, from a security standpoint, PROG PI 
leaves A highly vulnerable to being guessed (e.g., when it is a multiple of 8), while PROG P2 
does not (at least for large k). 

In this paper we argue that past work has failed to address which entropy measure(s) is 
best suited for quantifying information leakage. Further, this paper shows that some of these 
entropy based measures (proposed by past work) may be conflicting when they are applied 
to two programs Pi and P^, i.e., entropy measure H predicts higher leakage for program Pi, 
while entropy measure H' predicts higher leakage for program P 2 . This paper (to the best 
of our knowledge) presents the first attempt to analyze different information leakage metrics, 
show the existence of conflicts in measures proposed by past work and propose a new method 
for comparing information leakage in finite order deterministic programs. 

Outline. The paper is structured as follows. In Section 2, we present a program model for 
finite order deterministic programs. Section 3 shows the existence of conflicts between leakage 
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measures proposed by past work, followed by our conflict-free leakage metric in Section 4. 
We analyze a few sample programs using our leakage measure in Section 5 and conclude in 
Section 6. 

2 Model Framework 

In this section, we present a formal model for a single-input single-output (SISO) deterministic 
program and Renyi-entropy based definition of information leakage. A SISO deterministic 
program is modeled as a group of onto mappings: O = F\^\(A),W\A\ G N + , where A is 
the high (secret/sensitive) input and O is the program output, where |*4.| denotes the size 
of the high input set. In other words, for every \A\ G N + , i 7 ]^ is an onto mapping from 
A G A — {0, 1, ...|^4| — 1} to O G O. We note that \A\ acts a tune able security parameter for 
the program; assuming \0\ is fixed, one may be able to increase \A\ with the goal of improving 
the security level of the program. More formally, a SISO deterministic program is defined as 
follows: 

Definition 2.1. A SISO Deterministic Program is denoted as a 4-tuple (qui, \A\, F\m, Pui), 
where V|«4| G N + , A is a random variable in A = {0, l...|^4| — 1} with distribution vector 
Q|.4|> O = F\a\(A) is an onto mapping from A to O, and denotes the distribution vector 
of output O under mapping F\a\(-). 

A SISO deterministic program (q\A\, \^\, F\a\^P\a\) ^ s sa ^d to be a Finite Order SISO De- 
terministic Program (FOP) if and only if 

sup Hpi^iIIo < oo 
|^|eAr+ 

It is called an Infinite Order SISO Deterministic Program (IOP) if and only if 

sup Hpi^iIIo = oo 

where ||p|^|||o is the zero norm ofp\^\. 

Unless explicitly specified, in the following portions of this paper, we assume that the 
secret input A has an uniform prior distribution in A for any |^4|. 

A key difference between FOPs and IOPs is that the entropy of output O is bounded 
for FOPs, and so is information leakage. Assuming that \0\ is fixed (independent of |^4|), 
intuitively the security level of a real FOP will be non-decreasing in |*4|. In the following 
portions of this paper we focus on information leakage metrics for FOPs. 

Having formalized the program model, we define leakage using Renyi entropy [12], which 
covers most of the entropy metrics adopted by past work on information flow analysis [6, 7, 
11,13], such as Shannon entropy, min-entropy, vulnerability one-guess entropy (proposed by 
Hamadou et. al, [6]), etc. Renyi entropy is defined as follows: For a random variable X with 
distribution p = (po,Pi, ■■■,Pn), its Renyi entropy is defined as: 

1 n 
H a (X) = —\o g J2p? 

i=0 
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where a is a parameter. In this paper we also apply H a (p) to denote H a (X). When a — 1, 
Renyi entropy becomes Shannon entropy; when a — > oo, H^X) = — logsup^j is the min- 
entropy; when a = 0, H (X) denotes the vulnerability one-guess entropy. 

According to general consensus in information flow analysis literate, information leakage 
(IL) of a program C = (q|^|, \A\, F\a\, P\a\) (at a given |^4|) under a-Renyi entropy metric is 
defined as the mutual information I a between O and A: 

IL a (C, \A\) = I a (0, A) = H a (0) - H a {0\A) = H a (0) 

where IL a (C, \A\) denotes a class of information leakage metrics (for different values of a) of 
program C. Note that since the program is deterministic H a (0\A) = 0,Vo;. 

It is worth noting that the mutual information I a (0, A) may also be defined as I a (0, A) = 
H a (A) - H a (A\0), which differs from H a (0) - H a (0\A) when a ^ 1. This alternative 
definition is not considered here because when A is uniformly distributed, I a (0, A) = H a (A) — 
H a (A\0) reduces to be Shannon mutual information for all a, as shown below: 

H a (A) - H a (A\0) = -\og\A\-J2 p (0 = o)H a (A\0 = o) 

oeo 

— log |^4| + ^P(0 = o) \og\{a : F\ A \{a) = o}\ 
oeo 

= - log \A\ + J2P(0 = o) log (\A\P(0 = o)) = H^O) 

oeo 

In the next section, we show that this definition of information leakage results in conflicts 
when comparing two programs. In the subsequent sections we develop solutions for conflict- 
free comparison of two programs. 

3 Conflicts in Information Leakage metrics 

In this section we show several examples of conflicts while comparing two program's informa- 
tion leakage. Recall PROG PI and PROG P2 from Section 1. Consider the Renyi mutual 
information of these two PROGs when a — 0, 1, oo. 

IL (Pl,2 8k ) = 8k - 3, IL (P2, 2 8k ) = k + 1 
LLi(Pl, 2 8k ) = k + 0.169, /Li(P2, 2 8fc ) = k + 1 
IL^Pl, 2 8k ) = 0.134, JL 00 (P2, 2 8k ) = k + 1 

Note that only the comparing ILo(Pl,2 8k ) and ILo(P2,2 8k ) agrees with our intuition that 
PI leaks much more information than P2; however, comparing JL 1 (P1, 2 8k ) and 7L 1 (P2, 2 8k ) 
shows that PI leaks about the same amount of information as P2; comparing IL 00 (Pl,2 8k ) 
and IL OQ (P2,2 8k ) shows that P2 leaks much more information than PI. We see that the 
leakage measures for different a values conflict with each other, and some of them are even 
counter-intuitive. 

Smith [7] and Hamadou et. al. [6] argue that IL Q is more important than ILi in infor- 
mation flow analysis, because in the above example, IL coincides with the intuition but ILi 
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does not. However, it is not difficult to come up with other examples where IL\ coincides 
with the intuition but IL does not. Consider the following two programs, where the high 
input A is an uniformly distributed fc-bit integer with k > 2 and L is a parameter in A. 
PROG P3 Password Checker 
if A = L then 

O = 1 
else 

O = 
end if 

PROG P4 Binary Search 
if A > L then 

O = 1 
else 

= 
end if 

Consider L = \A\/2. The intuition is that PROG P4 leaks much more information than 
PROG P3, because when k is large, the probability of A = L becomes so low that PROG P3 
leaks almost no information. But PROG P4 always leaks 1 bit of information, irrespective of 
|.4.| . Now, consider the Renyi mutual information when a — 0, 1, oo: 

IL (P3,2 k ) 
JLi(P3,2 fc ) 
77^3,2*) 

We see that the comparing result when a = fails to coincide with the intuition, while the 
comparing results when a = 1 or oo match the intuition. The conflict between information 
leakage metrics for different values of a appears again. 

The following lemma indicates that the conflict between different metrics is very common. 

Lemma 3.1. Wa > 0, j3 > 0, a ^ (3, there exists two SISO deterministic programs C\ = 
(<l\A\, |"4|,7|.4|,p|„4|) and C 2 = (qj^, \A\, F^, p'^) with q\ A \ and qj^ both being uniform dis- 
tributions in A, such that 3D e R + , if \A\ > D, 

IL a {C u \A\) > IL a (C 2 ,\A\) (1) 
ILpidMl) < ILp(C 2 ,\A\) (2) 

Proof. The key idea to construct the programs stem from the following property of Renyi 
entropy 77 Q (p): 77 Q (p) is a monotone decreasing function of a for any specific p. Moreover, if 
p is uniform, 77 a (p) is a constant (independent of a); if p contains a peak probability and a 
large number of small probabilities, 77 Q (p) will decreasing quickly as a increases (see [12] for 
details). 



= 1, 77 (P4,2 fe ) = 1 

= tfi(W'A)' ^4,2*) = 1 
= -log(l-^), 77 00 (P4,2 fc ) = l 
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First, let us suppose 1 < a < (3 < oo. Pick values p 6 (0, l),n£ iV + such that 



1 



log 
log 



2 l-l//3 

(l-Po) a 



< Po < 



1 



n 



a-l 



> 



< 



21-1/a 



ft 



(3) 
(4) 
(5) 



We note that one can first pick p satisfying (3); then, to satisfy (4) and (5) one simply needs 
to choose a sufficiently large value for n. 

Specify the mapping function i 7 ]^! for Ci so that the distribution of O is = (po,Pi, ■■■,Pn) 
with p chosen as described above and p\ — ... — p n — — — for any \A\ > n + 1, and specify 
the mapping function for C 2 so that the distribution of O' is p|^| = (1/2, 1/2) for any 
|^4|. Then, for any |^4| > n + 1, 



1 



IL a (C 1 ,\A\) = H a (p lAl ) = Y — log 

1 



IL (C U \A\) = H fi (p\ A \) 



1 - 



log 



Po + 



p"o + 



;i-p ) c 



n 



a-l 



> l = H a (p\ Al ) = IL a (C 2 ,\A\), 
< l = Hp(p\ Al )=ILp(C 2 ,\A\), 



equations (1) and (2) are satisfied. 

In the case that 1 < (3 < a < oo, switch the mapping function of F\ A \ and F! A , above, so 
that the distribution of 0\ A \ is q and the distribution of 0', A , is p, then (1) and (2) are still 
valid. 

Second, suppose < a < j3 < 1, pick 2 < m, n G so that 



I — a 



log 



> log m > 



1 



1-/3 



lot 



1 



1 



(6) 



A sufficiently large n for (6) can make it possible to choose a valid m. 

Specify the mapping function F\ A \ for Ci so that the distribution of O is p^ = (po,Pi, ■■■,Pn) 



with Po = I and p\ 



Pr, 



2n 



for any |^4| > n + 1, and specify the mapping function 



F{ A \ for C 2 so that the distribution of O' is p|^| = (1/m, 1/m, ...1/m) for any |^4|. Then, for 
any |^4| > n + 1, equations (1) and (2) are satisfied. The case of0</3<a<l can be proved 
by switching F\ A \ and F! A , as done before. 

Third, suppose a and j3 belong to [0, 1] and [1, oo] separately. For example, if a < 1 < /3, 
pick a value /3' such that a < (3' < 1, and construct C\ and C 2 by the same method above, 
with f3' in place of (3. Then (1) and (2) can be satisfied because IL^(C 2: \A\) = ILp(C 2 , \A\) = 
IL a (C 2 , \A\) as pj^i is uniform. Equations (1) and (2) in other case of a and (3 can be justified 
in the same way. 

□ 



4 Quantifying Information Leakage in FOPs 

So far we have shown that some measures of information leakage are not only counter-intuitive, 
but also introduce conflicts when comparing two programs. In this section we develop a new 
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approach to quantify and compare information leakage in programs. We first sketch the key 
idea behind our approach. Recall that in FOPs, \A\ acts as a security parameter for the 
program — intuitively, increasing |.4.| increases the security level of the program (since, \0\ is 
finite and constant — independent of |^4|). Recall the password checker PROG P3 — observe 
that increasing the length of the password (A) by one bit doubles the security level of the 
program. 

In this paper we propose that two FOPs C\ and C 2 should be compared by examin- 
ing lim^i^oo IL a (Ci, \A\) lim^i^oo IL a {C 2 , \A\). In particular, we show that one can obtain 
conflict free comparison of programs using a relative leakage metric defined by the ratio 
lim^i^oo Evidently, if the relative leakage metric is 0, then program C 2 leaks more 

information than program C\\ if the relative leakage metric is oo, then program C\ leaks more 
information than program C 2 . Now, if the relative leakage metric of programs C\ and C 2 is 
a constant c (c ^ 0, oo), one may increase the size of the secret input (namely, log|^4|) for 
program C\ by a constant factor relative to the size of the secret input for program C 2 to 
ensure that the programs C\ and C 2 have equal security level; hence, in this case we conclude 
that the programs C\ and C 2 are equal with respect to information leakage. In this section, we 
formalize this intuition and present a conflict-free approach to comparing information leakage 
in FOPs. 

We first show that for any C = (q|^|, |^4|, F\a\, P|^|), IL a (C,\A\) is closely related to 

IIpwIU- 

Lemma 4.1. V2 < n G iV ; for any probability distribution vector p = (pi,P2, ■■■Pn) with 
ordered sequence ||p||oo = Pi > P2 > ••• > Pn, then, 

VI < a < 00, hm = (7) 

1 — pi a — 1 

lim -, ^ r = 1 (8) 

Pi-H -(1 -pi)log(l -pi) 

fliminL^i -g&L > 

V«e(0,l), P1 ^^ H % ^ (9) 

[hmsupp^! < 00 

Proof. Consider (7), use substitution t — 1 — p\. When a = 00, 

lim /up) = Bm -lcg(l-«) = 1 

pi->-l 1 — pi t^o t 



When 1 < a < 00, note that Vp with n > 2, 

n 
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so we have 



pi-»i 1 — pi 



i lim (i-t) a -i+Er =2 pr 



1 - a ho 
1 



1 — a 

a 
a — 1 



a + limt Q - i y(p l /t) c 



i=2 



Thus, equation (7) holds. Next consider (J 
When a = 1, note that Vp with n > 2, 



< 



Eft , ft 
7 log T 



< log(n - 1), 



and we have 



#i(p) 



lim — 
pi-)-i (1 -pi)log(l - pi) 



lim 

t->o 



;i-t) io g (i-t) + Er= 2 ft lo gft 



-f logt 

1 — lim — — ( — log — ^ 
t-*) lost 4^ V i 6 t / 



Thus, equation (8) holds. Next consider (9). 
When < a < 1, note that Vp with n > 2, 



l<^(Pi/O a <(n-l) 1-a , 



i=2 



so we have 



#«(p) 



lim sup . 

(i - Pl y 



< 



lim sup V(ft/t) Q < ^ < °°- 

1 — a t^o r-^ 1 — ct 



,1-a 



The other part of (9) can be proved in the same way. □ 
Define a function T a (-) for random distributions p = (pi, P 2, ■■■Vn) with p x > p 2 > ... > p n : 

l- P i, if a > 1 

r«(p) = <-[l-Pi]log[l-Pi], i/a = l (10) 



Lemma 4.1 shows that Va > 0, limnpn^^i is finite. Further, if 2 < n is finite and 

^- < NpIIoo < 1 — e for some e > 0, both H a (p) and T a (p) will be upper bounded by logn < 
oo and will both be strictly larger than zero. This leads us to Proposition 4.2. 

Proposition 4.2. For any FOP C = {q\A\, F\a\, P\a\} q\A\ being uniform in A, we 
have 

IJ^CM^ IL a (C,\A\) 
Va > 0, < inf j- , < sup < oo 

1-41 la{P\A\) \A\ ta(P\A\) 

Proposition 4.2 states that as a is varied, the values of IL a differ among the levels: 1 — 
IIPl^llloo, (l - ||p|^|||oo) log (l - ||p|^|||oo), (1 - ||P|.4|||oc) Q - Note that these levels are all 
related to 1 — | |p|^| | |oo- Intuitively, the rate of convergence of 1 — | jpi^i | |oo to determines the 
security level of a program. We formalize this notion in the following proposition: 

Proposition 4.3. For any FOPs C x = (q\ A \, \A\, F ]A \, P\a\) and C 2 = (q\ A] , F^, p\ A] ), 
with q\A\ and qj^ both being uniform in A. Applying notation 



lAH j iL a (c 2 , \A\y » w-oo iL a (c 2 , \A\y 



we have: 
1. 



3a>0,/ Q = 0^V/3>0,/ /3 = 

3a > 0, f a = oo & V/9 > 0, fp = oo (11) 
3a > 0, < f a < oo V/3 > 0, < fp < oo 



2. 



3a >0,^ = 0^V/3> 0,^ = 

3a > 0, g a = oo V/? > 0, gp = oo (12) 
3a > 0, < g a < oo V/? > 0, < gp < oo 

Proof. It follows directly from Proposition 4.2 that for any a > 0, 

, r\ I- T »(P\A\) „ , ^ ,. ^a(P|-4|) 

f a = <^> hm sup = 0, / Q = oo hm sup - / _ / N = oo 

|^4|— >oo -'avP|.4|J |^4|— yoo 

< f a < oo < lim sup ^r~T^i < oo 

|.4|->-oo 



g a = <^> lim inf "^Pj- 4 ^ = q, g a = oo lim inf "Y^i = oo 

i^Koo -r a (pj^|j i^i- ■ - •- 

< g a < oo < lim inf ^^rK < oo 

\A\^oo l a {P\A\) 



T «(P\ AI ) 


T a \ 


V\A\) 


T a \ 


:pUi) 


T a \ 


[P\A\) 


T a \ 


:pUi) 


T a \ 
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Note that for any intervals T, S C (0, 1) and any variables t G T, s G 5, Vt> G {0, oo}, 

lim sup = f lim sup 4 \ , ^L v = v lim sup 4 ~ra = f, V/3 G (0, 1), 

t 6 T, se s 1 - s teases (1 - sj log(l - s) teT,ses (1 - s)p 

liminf = v <^> liminf ] 0g ^ % = v liminf %-r = v, V/3 G (0, 1), 

tei>es 1 - s tei>es (1 - s) log(l - s) teT,seS (1 - s)/ 3 



which indicates that, 



□ ^ n T T a(P|^|) ,_. w o ^ a v T q(PMI/ 

3a > 0, hm sup = t> Vp > 0, lim sup 



|.4|-k» ^a(pj,4|) |.4|-k» ^a(p[^4|) 

3a > 0,0 < lim sup < oo ^ V/3 > 0, < lim sup < oo 

|.4|-kx) 2a(P|^|) |.4|-»-oo 2a(P|^|J 

□ ^ fl T • f T "(Pl^l) vjo ^ a V • r T "(P|-4|) 

3a > 0, hm ml = t> Vp > 0, hm ml = i> 

3a > 0, < hm mf 11 < oo <=> V/3 > 0, < hm mf 11 < oo 

\A\^oo T a (P\ A \) \A\^oc -T a (P|^|) 

So we conclude that (11) and (12) are valid. □ 

Now, we are ready to present our solution to compare information leakage of two programs: 

Algorithm 4.4. For any FOPs d = (q\ A \, \A\, F\ A \, p\ A \) and C 2 = (qj^, |-4|, F^, pj^), with 
q\A\ and qj^ &o£/i fejnj uniform in A, 
BEGIN PROGRAM 
if foo = oo and > £/ien 

Ci /ias a higher leakage than C 2 . 
eZse if f^ < oo and g^ = £/ien 

C*2 /ias a higher leakage than C\ 
else if < g^ < foo < oo then 

C\ and C2 are on the same leakage level, 
else 

C\ and C 2 are not comparable, 
end if 

END PROGRAM. 

If converges as \A\ — > oo, Algorithm 4.4 can be rewritten as: 

Algorithm 4.5. 

BEGIN PROGRAM 
tflimw-xx, = oo then 

C\ has a higher leakage than C 2 
^se if hm,^ fejg^j = then 

C 2 has a higher leakage than C\ 
else 
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C\ and C 2 are on the same leakage level, 
end if 

END PROGRAM. 

Due to Algorithm 4.5, it is natural to define the leakage level of a FOP C as the rate of 
convergence of IL^iC, \A\) as |*4| — > oo: 

Definition 4.6. Leakage Level For any FOPs C = (q^|, \A\, F\ A \, P\A\) w ^h q\ A \ being 
uniform in \A\, if IL^C, \A\) converges as \A\ —t oo, then the leakage level of C is defined 

to be 0I 14 ! (/MC, \A\))=Q(l- \\v\A\ I loo) ■ 

We claim that algorithm 4.4 (and thus algorithm 4.5) offers a conflict-free solution to com- 
paring information leakage of two programs. The proof follows directly from Proposition 4.3. 
We note that in algorithm 4.4 that there may be cases wherein two programs are incompa- 
rable. However, we claim that it may be impossible to offer a more fine-grained comparison 
of two programs using Renyi-entropy measure as follows. First, we observe that in Algorithm 
4.4, information leakage measures for two are distinguishable if and only if the ratio of their 
min-entropy leakage metric is either = l/oo or oo. The following lemma shows that it is 
impossible to reduce this ratio to some finite D < oo: 

Lemma 4.7. VX> > I, 3a, (3 G (0,oo],a ^ (3, 3 FOPs C x = (q\ A \, \A\, F\ A \, p\ A \) and C 2 = 
(qj_4|, \A\, pj^j), with q\ A \ and qj^ both being uniform in A, such that, 

llm tt TF< i 7T\ > D but 

\a\-hx> IL a (C 2 , \A\) 
ton 'MCi,l4) < I 

\A\^oc ILp(C 2 ,\A\) D 

Proof. We first give an intuitive explanation of the proof of Lemma 4.7 here. Recall from 
Lemma 4.1 that it is feasible to make ^"[p*] as large as possible for distribution p with ||p||oo 
close enough to 1. This allows us to construct a program C\ with ||p|^|||oo close to 1, so 
that we have IL a (Ci, \A\)/ILp(Ci, \A\) > D 2 (when |^4| is large) and a program C 2 with 
IL a (C 2 , \A\) = ILp(C 2 , \A\) = y/IL a (C u \A\)ILp{C u \A\) (when |^| is large). Clearly, the 
constructed programs C\ and C 2 satisfies Lemma 4.7. 

Here we offer a simple example of C\ and C 2 . Choose p G (0, 1), 2 < n G N such that, 

2~ 1/D < po < 1 

OL 

logn > D - log(l - po) 

1 — a 

Specify C\ so that p^ = (p , •••^T i ) for an y \A\ > n + 1, and specify C 2 so that 

P\A\ = (V2, 1/2) for any |^4|. And consider < a < 1, f3 — oo, then 

, Jim \\ a f r lAA }l = V 1 - log bo + (1 " PoTn 1 -"} > ^— log [(1 - po) > D 

\A\-*x> 1 L a [U 2: \A\) 1 — a I — a 

lim [ L / C ' AA }1 = -\og Po <l/D 



\a\-+oo IL p {C 2 , \A\) 



□ 
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5 Experimental Results 



In this section, we report results obtained by applying our technique to compare information 
leakage of two programs. We begin by reexamining PROG P4 using our Algorithms. Consider 
four different parameter values of L: L = \A\/c, L = clog \A\, L = c^\A\, L = c where c > 2 
is certain constant. Then, 



r L = |^|/ C ,JL 00 (P4,|^|) = log[ 3 f T ] 
L = clog|.A|,7L 00 (P4,| > A|) = -log 

L = cv ^4[, 7^(^4,1^1) = -log 



L = c,/L 0O (P4,|^|) = -log 



\A\ 



log |.4| 


1 ~ log |^| 


\A\ 


J ~ \A\ 








. 






~ ]X\ 





According to definition 4.6, for PROG P4, when L = \A\/c, the leakage level is 0(1); 
when L = clog |^4|, the leakage level is O (log |^4|/|^4|); when L = c^\A\, the leakage level is 

O ^1 / \/\A\ j ; when L = c the leakage level is O (1/|^4|). PROG P4 leaks more information 
as L decreases. The result matches the intuition of program flow leakage. Indeed as \A\ — > 
oo then L — — leaks non-zero information (e.g., when c = 2 the program leaks one bit of 
information); while for all other values of c considered above the program leaks almost no 
information. 

Let us now consider program P5 (see below): A is the high input and 1 < L E N + is an 
integer parameter. 
PROG P5 
O = A mod L 

For any value of 1 < L G N + , ||p|.4|||oc = ->■ \ as \A\ ->• oo, so IL^iPh, \A\) is 

finite for all |^4|. Thus P5 with any finite L has leakage level 0(1), which indicates that P5 is 
on the same security level as P4 with L = \A\/c. 

Let us now consider another program P6 (see below): A is an integer with k bits (|^4| = 2 k ), 
and < L < k is an integer parameter. 

PROG P6 

if A consists of L bits of 1 and k — L bits of then 

O = 1 
else 

= 
end if 

Consider different values ofL: L = 0,l,2,3... Then 



JL 00 (P6,2 fe ) = -log 



1 - 



2 k 



(9 

2 k 



Because (^) / ( L ^. 1 ) — > as k — > oo, the leakage of PROG P6 increases as L increases. Actually, 
the leakage level of P6 is O (k L /2 k ). PROG P6 with L = has the same leakage level as 
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PROG P4 with L = c; PROG P6 with L — 1 has the same leakage level as PROG P4 with 
L = clog 1^1). 

We have admit with regret that Algorithm 4.4 still unable to distinguish all FOPs, take 
the following program for example, where A is the high input with /c-bits and L G iV is an 
integer parameter. 

PROG P7 

if log \A\ = k is even then 

O = A mod 2 
else 

O = 1 {A =L} 
end if 

PROG P7 has leakage level 0(1) when log |^4| is even, but has leakage level 0(1/|^4|) 
when log \A\ is odd. When comparing P7 (L = 1) with P4 (L = clog |^4|), we have = oo 
but (jfoo = 0. It is not applicable to determine a constant leakage level of P7 since it switches 
between high and low leakage constantly. 

6 Summary 

In this paper we point out important drawbacks in past approaches to information-theoretic 
measures for quantifying program leakage. We show using examples that some of the metrics 
proposed by past work may not only be counter-intuitive but also conflict with each other. We 
have presented a novel conflict-free approach to compare information leakage in two programs 
and show that it may be impossible to derive a more fine-grained comparison using Renyi- 
entropy based leakage measures. Using several examples we show that the proposed approach 
vastly outperforms past approaches in matching popular consensus on program information 
leakage. 
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